
24/01 2007

TYPO3 Security Bulletin TYPO3-20070124-1: Tip-a-friend - Header injection

Component Type: Third party extension. The extension is not part of the
TYPO3 default installation

Affected Versions: 1.2.2 and earlier

Vulnerability Type: Header Injection

Severity: HIGH

Problem Description:

A problem has been discovered in the extension that allows attackers to send arbitrary mail headers and similar data, which can lead to misuse of the extension.

Solution:
An updated version 1.2.3 is available in the extension repository and at typo3.org/extensions/repository/view/tipafriend/1.2.3/

Users of the extension tipafriend are advised to update the extension immediately.

General advice:
Follow the recommendations that are given in the TYPO3 Security Cookbook.

Credits:
Thanks to security team members Thorsten Kahler and Andreas Otto, who discovered the issue and provided a fix when reporting it to the security team.
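
Mail header injection, the vulnerability class named in this bulletin, is generally prevented by rejecting line breaks and other control characters in any form value that ends up in a mail header. The following is an added example of such a check for a recommend-this-page form; it is not code from the tipafriend extension or from its 1.2.3 fix. The function names, form field names and addresses are assumptions made for illustration.

```php
<?php
// Added illustration; field names and addresses are hypothetical, not taken from the tipafriend extension.
function headerSafe(string $field, string $value): string
{
    // CR, LF and other control characters can end a header line and start a new one.
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        throw new InvalidArgumentException("Control character in '$field'");
    }
    return trim($value);
}

function validEmail(string $field, string $value): string
{
    $value = headerSafe($field, $value);
    if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("Invalid address in '$field'");
    }
    return $value;
}

function buildTipMail(array $form): array
{
    $recipient = validEmail('recipient', (string)($form['recipient'] ?? ''));
    $replyTo   = validEmail('email', (string)($form['email'] ?? ''));
    $name      = headerSafe('name', (string)($form['name'] ?? ''));
    // The From address and subject are fixed by the site; user input reaches Reply-To only after validation.
    $headers = [
        'From: noreply@example.org',
        'Reply-To: ' . $replyTo,
        'Content-Type: text/plain; charset=UTF-8',
    ];
    // The free-text message goes in the body, where line breaks are harmless.
    $body = $name . " recommends this page:\n\n" . (string)($form['message'] ?? '');
    return [$recipient, 'A page recommendation', $body, implode("\r\n", $headers)];
}

// Constructed sample input: the second submission carries a line break in the e-mail field.
$samples = [
    ['name' => 'Alice', 'email' => 'alice@example.org', 'recipient' => 'bob@example.org', 'message' => "Hi,\nlook at this."],
    ['name' => 'Alice', 'email' => "alice@example.org\r\nX-Test: 1", 'recipient' => 'bob@example.org', 'message' => 'Hi'],
];
foreach ($samples as $i => $form) {
    try {
        [$to, $subject, $body, $headers] = buildTipMail($form);
        echo "sample $i accepted for $to\n"; // a real handler would now call mail($to, $subject, $body, $headers)
    } catch (InvalidArgumentException $e) {
        echo "sample $i rejected: " . $e->getMessage() . "\n";
    }
}
```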